Abstract

We outline a bicategorical syntax for the interaction between public 
and private information in classical information theory. We use this to give 
high-level graphical definitions of encrypted communication and secret 
sharing protocols, including a characterization of their security properties. 
Remarkably, this makes it clear that the protocols have an identical 
abstract form to the quantum teleportation and dense coding procedures, 
yielding evidence of a deep connection between classical and quantum 
information processing. We also formulate public-key cryptography 
using our scheme. Specific implementations of these protocols as 
nondeterministic classical procedures are recovered by applying our 
formalism in a symmetric monoidal bicategory of matrices of relations. 



1 Introduction 

1.1 Background 

Whitehead credited Hamilton and De Morgan with the invention of "universal
algebra", the idea that we can describe many mathematical structures as sets
equipped with functions that are subject to equations [1]. Modern object-oriented
programming is done in essentially the same way: to define a data
structure, we equip a type with methods and insist that implementations pass a
test suite. The programming language gives us a syntax to express an interface
as well as a way to write implementations, each of which picks out a different
semantics for the interface. Lambek [2] showed that such syntactic descriptions
of interfaces correspond to free cartesian closed categories, and implementations
are simply cartesian closed functors from those syntactic categories to the
category of sets and functions. The related area of information flow [3] is
the application of type theory to security. The types correspond to security
levels like "public" and "private", and a well-typed program is a proof that an
attacker cannot distinguish two computations from their outputs if they only
vary in their private inputs. Such a derivation system corresponds to a cartesian
closed category.

Similarly, in quantum information theory, a categorical approach developed
initially by Abramsky and Coecke [4, 5, 6] has been shown to be extremely
fruitful, based on the category of finite-dimensional Hilbert spaces. And in
physics, Feynman diagrams also follow this pattern, except that instead of using a
category presented syntactically, they use a category presented graphically.

The mathematical notion underlying all these areas is that of symmetric
monoidal category, now widely recognized as an important unifying concept [7].
Given this observation, it is natural to consider what role can be played by
symmetric monoidal bicategories in the description of classical phenomena in
computer science. Bicategories are algebraic structures with an extra layer
of descriptive power compared to ordinary categories, and have already been
demonstrated to be of importance in quantum field theory [8] and quantum
information [9], where their key strength lies in their ability to encode important
connectivity and locality information in a natural way.



1.2 Overview 

We propose a bicategorical syntax for reasoning about cryptographic processes 
in classical computation. The extra structure of our higher syntax provides 
a geometrical mechanism for distinguishing public and private information, 
and also their interactions, including publication, privatization, copying and 
information retrieval processes. 

Since bicategories have a well-studied 2-dimensional graphical calculus, this 
becomes available for the description of our classical computational processes, 
and gives a powerful and elegant formalism with which to reason about them. A 
particular diagram can be interpreted as a history of computational events, with
the vertical direction representing time, which flows from bottom to top. To use 
the terminology of physics, they are 'spacetime diagrams' for our computation. 
For example, the following diagram represents an encrypted communication 
protocol making use of a one-time pad: 




[Diagram: graphical equation for the one-time pad protocol; Alice's side is labelled]    (1)



The left-hand side of this equation describes the encrypted communication 
protocol itself, while the right-hand side describes its intended effect. Equating 
the two represents the assertion that the protocol is correctly implemented. 
The dashed vertical line, which is not part of the formalism, represents the 
separation of ownership between Alice and Bob which is of importance to our 
interpretation. 

In these diagrams, regions represent public information, lines represent
computational systems, and vertices represent computational processes. In the 
example above, E represents encryption, a process that consumes private data 
and publishes it as public data, while D represents a decryption process, which 
modifies private data in a way that depends on the public data. Note that this 
approach differs from the one taken by the theory of information flow [3], where
every level of security is a 0-cell. 

A key advantage of our scheme is that the interpretation of a computational 
process depends entirely on its type, which here refers not only to its domain 
and codomain, but also to the entire local configuration around the vertex in 
a 2-dimensional sense. Rules governing the interaction between private and 
public data are enforced automatically by the formalism, such that impossible 
or absurd operations — such as a local system modifying nonlocally-held public 
data, or making use of data to which it does not have access — cannot even be 
expressed. This is a strong form of locality, which is a natural and automatic 
property of the bicategorical formalism. 

Remarkably, the form of the graphical equation (1) corresponds exactly to
that of the equation for quantum teleportation, as described in the bicategorical
approach to quantum information [9]. One of the most important procedures
in quantum theory, and yet uncovered only relatively recently [10], quantum
teleportation is a procedure whereby two parties who share pre-existing 
quantum entanglement can transmit a quantum state between them, by 
only communicating classical information. A strong comparison to classical 
encrypted communication can be made: two parties who share a pre-agreed 
secret key can transmit a secret message between them, by only communicating 
public information. While easily drawn, this analogy between quantum 
teleportation and classical encrypted communication does not to our knowledge 
appear in the literature. 

Using our bicategorical formalism we are able to take this comparison 
seriously, developing an abstract categorical description of encryption that 
makes the analogy mathematically precise. This indicates a close link between 
quantum and classical information which has not previously been recognized. 
We can loosely describe this correspondence in the following way: 

Classical                 Quantum
Private information       Quantum information
Public information        Classical information
Publication               Measurement
One-time pad creation     Entangled state creation

Just as the one-time pad is a fundamental resource for encrypted communication,
so quantum entanglement is a fundamental resource for quantum teleportation.
This paper demonstrates that the relationship is not merely analogous,
but mathematically exact, with quantum randomness and classical nondeterminism
giving rise to the same formal structures.

To implement these classical protocols we must choose a bicategory in
which to apply our higher syntax. We show that for classical nondeterministic
computation, the symmetric monoidal bicategory 2Rel of matrices of relations
provides the correct higher algebraic setting, which we define in detail in
Section 2. Relations provide a standard semantics for nondeterministic
computation [11], and our bicategory builds on this. Solutions to our graphical
equations in this bicategory correspond to actual implementation schemes
for the protocols in a classical nondeterministic setting. Some degree of
nondeterminism is essential; for example, creation of a one-time pad would
not be cryptographically useful if the same secret key was created every time.

Having introduced our bicategory 2Rel, we describe our abstract bicategorical
syntax in Sections 3 and 4. We apply this to encrypted communication,
secret sharing and key exchange procedures in Section 5.

2 A Bicategory of matrices of relations 
2.1 Construction 

We now describe the bicategory 2Rel which will be the target for our 
constructions. It can be described quite simply in terms of finite sets and 
partitions: 0-cells are finite sets, 1-cells are finite sets partitioned by their source 
and target sets, and 2-cells are relations compatible with the partitioning. All
the structure of a bicategory can be defined quite naturally here. We give a
careful definition below, although for most purposes an intuitive understanding
of the structure is quite adequate. 

The n-cells of 2Rel are defined in the following way. 0-cells are finite sets,
denoted $S, T, \ldots$. A 1-cell $A : S \to T$ is a family of finite sets $A_{t,s}$ indexed by
$s \in S$ and $t \in T$. For 1-cells $A, B : S \to T$, a 2-cell $p : A \Rightarrow B$ is a family of
relations $p_{t,s} : A_{t,s} \to B_{t,s}$ indexed by $s \in S$ and $t \in T$.

To demonstrate that these form a bicategory, we first observe that for
each pair of 0-cells $S$, $T$, the 1-cells $S \to T$ and the 2-cells between them form
a category in a straightforward way, using ordinary relational composition.
Identity 1-cells $\mathrm{id}_S : S \to S$ are chosen as the family $\delta_{s,s'}$, which is defined
as the 1-element set if $s = s'$ and the 0-element set otherwise. Horizontal
composition is a family of functors

$$\circ : \mathrm{Hom}(S, T) \times \mathrm{Hom}(T, U) \to \mathrm{Hom}(S, U) \qquad (2)$$

for each ordered triple $S, T, U$ of 0-cells. On 1-cells $A : S \to T$ and $B : T \to U$,
we define this as

$$(B \circ A)_{u,s} = \coprod_{t \in T} B_{u,t} \times A_{t,s}. \qquad (3)$$

This extends to 2-cells in a natural way.

The final pieces of structure are the structural 2-cells of the bicategory. For
each family of composable 1-cells $A : S \to T$, $B : T \to U$ and $C : U \to V$ we
require an invertible 2-cell

$$\phi_{A,B,C} : (C \circ B) \circ A \to C \circ (B \circ A). \qquad (4)$$

Writing out the source and target using definition (3), we define $\phi$ as the
composite of canonical isomorphisms

$$\coprod_t \Big( \big( \coprod_u C_{v,u} \times B_{u,t} \big) \times A_{t,s} \Big)
\simeq \coprod_u \coprod_t \Big( C_{v,u} \times \big( B_{u,t} \times A_{t,s} \big) \Big)
\simeq \coprod_u \Big( C_{v,u} \times \big( \coprod_t B_{u,t} \times A_{t,s} \big) \Big). \qquad (5)$$

For each 1-cell $A : S \to T$ we also require invertible unit 2-cells

$$\lambda_A : \mathrm{id}_T \circ A \to A, \qquad (6)$$
$$\rho_A : A \circ \mathrm{id}_S \to A. \qquad (7)$$

We define $\lambda_A$ and $\rho_A$ as the obvious isomorphisms

$$\coprod_{t'} (\mathrm{id}_T)_{t,t'} \times A_{t',s} = \coprod_{t'} \delta_{t,t'} \times A_{t',s} \simeq A_{t,s} \qquad (8)$$
$$\coprod_{s'} A_{t,s'} \times (\mathrm{id}_S)_{s',s} = \coprod_{s'} A_{t,s'} \times \delta_{s',s} \simeq A_{t,s} \qquad (9)$$

It is then straightforward to show that the required pentagon and triangle 
equations commute. 

The bicategory 2Rel also has the following property for endomorphisms. 

Lemma 2.1. In 2Rel, if 2-cells $\sigma$ and $\tau$ are endomorphisms, then $\sigma \circ \tau = \mathrm{id}$
implies $\tau \circ \sigma = \mathrm{id}$.

Proof. Suppose at first that $\sigma$ and $\tau$ are relations on a finite set $S$. Then if
$\sigma \circ \tau = \mathrm{id}_S$, there must be at least one $y \in S$ such that $(x, y) \in \sigma$ and $(y, x) \in \tau$.
But then there must be exactly one such $y$, otherwise we could not ensure that
$x \neq z \in S$ implies $\nexists\, y \in S$ with $(x, y) \in \sigma$ and $(y, x) \in \tau$. It follows that $\sigma$ and
$\tau$ are graphs of mutually inverse bijections, and so in particular $\tau \circ \sigma = \mathrm{id}_S$ also.

We now turn to the general case, for which $\sigma, \tau : A \Rightarrow A$ are 2-cells on
some $A : S \to T$. But then $\sigma$ and $\tau$ are defined to be a family of relations $\sigma_{t,s}$
and $\tau_{t,s}$, and the condition $\sigma \circ \tau = \mathrm{id}_A$ reduces to the condition that for all
$s \in S$ and $t \in T$, $\sigma_{t,s} \circ \tau_{t,s} = \mathrm{id}_{A_{t,s}}$. By the argument above this implies that
$\tau_{t,s} \circ \sigma_{t,s} = \mathrm{id}_{A_{t,s}}$, and hence $\tau \circ \sigma = \mathrm{id}_A$. □



2.2 Symmetric monoidal structure 

In fact, 2Rel can be given the structure of a symmetric monoidal bicategory,
for which the tensor product of two 0-cells is their cartesian product as sets. For
full details see [12], in which an equivalent bicategory Mat(Rel) is described.
Here, 0-cells correspond to finite cardinalities, 1-cells correspond to matrices of
sets, and 2-cells correspond to matrices of relations. The monoidal structure
is the usual tensor product of matrices, also known as the Kronecker product.
The tensor product of an m × n matrix with an r × s matrix is an mr × ns
matrix.

The monoidal unit for this product is the 1-element set in 2Rel. This 
labels the empty region in the graphical calculus. We can then construct the 
scalars, defined as the category Hom(1, 1), represented in the graphical calculus
as lines and boxes on a white background. The scalars of a symmetric monoidal 
bicategory necessarily form a symmetric monoidal category, which in our case 
is simply Rel, the symmetric monoidal category of finite sets and relations. 

In our formalism, regions are labelled by types of public information. 
No information is needed to pick the single element of the one-element 
set, so restricting attention to the scalars implies neglecting all nontrivial 
public information. What remains is private computational systems and their 
dynamics, and so we see that 2Rel treats purely private computations as 
arbitrary nondeterministic processes. 

3 Private information



3.1 String diagrams 

We assume that a single, isolated computational system is located at any 
moment at a single point in space, and so over time its history traces out a 
line in spacetime: 




The vertices a and b represent arbitrary computations that act on the system. 
We could have many such systems, interacting in a complicated way: 



(11) 



This diagram describes two pre-existing systems, and a third system which is 
produced from a computational process c with no input. Two of the systems 
switch positions without interacting, represented by the crossed worldlines. A 
process d then takes place, which takes two systems as input and produces one 
system as output. 

These diagrams have already found extensive use in the foundations of
computer science and logic [13], and also in the foundations of quantum
computing. They are often called string diagrams, and are a rigorous
and powerful notation for morphisms in symmetric monoidal categories [14].
Strings correspond to objects of the monoidal category, vertices correspond to
morphisms, and placing diagrams side-by-side corresponds to the tensor product
operation.

We assume that our string diagrams are valued in Rel, the symmetric
monoidal category of finite sets and relations. This forms the scalars of 2Rel,
as discussed in Section 2. We will interpret an object of Rel as representing a
classical computational system, with a particular finite set of internal states.
Morphisms are interpreted as computational dynamics, nondeterministically
transforming states of the domain into states of the codomain.

3.2 Self-dualizability and one-time pads



A system is called self-dualizable if it can be equipped with unit and counit 
morphisms 



(12) 



satisfying the following equations, called the snake equations: 





(13) 



We say that the unit and counit morphisms witness the self-duality. In FRel
every object $A$ is self-dualizable, with the unit morphism $\eta : 1 \to A \times A$ given
canonically by $\eta = \sum_{a \in A} (a, a)$, and with the counit given by the converse of
this relation.

Not every unit and counit map witnessing self-dualizability will be of this 
form, but they can be characterized in the following way. 

Lemma 3.1. In a monoidal category, for a self-dualizable object A, there is 
a bijection between choices of unit and counit morphism, and isomorphisms 
$A \simeq A$.

Proof. Since A is self-dualizable, we can pick unit and counit morphisms (12)
witnessing this. Given a second unit and counit 



(14) 



also witnessing a self-duality, we can construct the following morphisms of type 
$A \to A$:



(15) 



Applying the snake equations (13) it can be shown that these morphisms are
inverse to each other. Conversely, given an isomorphism $s : A \to A$, we can
form the following unit and counit morphisms:

(16)

It is straightforward to show that these constructions are inverse, so we 
have a bijection between unit and counit morphisms and automorphisms, as 
desired. □ 

In Rel, the automorphisms of an object are exactly the bijections. As a
result every unit morphism $\eta : 1 \to S \times S$ is of the form $\sum_s (s, \pi(s))$ for some
permutation $\pi$ of $S$. That is, the unit morphisms represent nondeterministic
processes whereby the first party receives an arbitrary $s \in S$, and the second
party receives $\pi(s)$. If the permutation $\pi$ is known, its inverse can be applied
by the second party, and both parties will then share matching keys which 
can be used as a cryptographic resource. So given a self-dualizable object, we 
can interpret a unit morphism as a key exchange procedure. The counit can 
similarly be interpreted as a key verification procedure, which terminates the 
computation iff the two parties have mismatched keys. 



3.3 Kernels, deletion and random data 



Morphisms of Rel can have elements of their domain which are not related 
to any elements of their codomain. These describe situations where the 
computation halts. Given a relation $p : A \to B$, its kernel is a relation
$k : K \to A$ such that $p \circ k = 0$, the empty relation, and such that $k$ is universal
with this property:

[Diagram: $K \to A \rightrightarrows B$, with $X$ below]    (17)

The universal property is that for all relations $a : X \to A$ with $p \circ a = 0$, then
$a$ factors through $k$. The morphism $k$ then characterizes the elements of $A$ on
which $p$ halts. The construction of kernels extends in a similar way to arbitrary
2-cells in 2Rel.

For a finite set $A$ there is a unique relation of type $A \to 1$ that has zero
kernel. We interpret this as a process that eliminates the system A, without 
halting the computation. We denote this graphically in the following way: 



(18)



The converse process represents the nondeterministic preparation of a system 
in an arbitrary, 'random' state: 



(19)



These are related by the unit and counit morphisms (12) witnessing
self-dualizability via the following equations:

(20)

(21)



Each of these has a natural interpretation in terms of nondeterministic classical 
computation: the equalities (20) say that if you nondeterministically create
shared keys and then delete one of the keys, the remaining key is uniformly
random; while the equalities (21) say that if you have a given key, it is always
possible that another key produced nondeterministically might match it. 
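
The claims of Sections 3.2 and 3.3 can be checked by brute force on a three-element set. The following Python sketch is an added illustration, not code from the paper: it models relations in Rel as sets of (input, output) pairs, enumerates every unit and counit pair satisfying the snake equations (13), and confirms that the units are exactly the permutation graphs, that applying the inverse permutation yields matching keys, and that deleting one key leaves an arbitrary one, as in (20). All function names, and the flattening of the snake equations into plain relations A → A, are assumptions of this example.

```python
from itertools import permutations

STAR = ()  # the unique element of the one-element set 1


def unit(pi):
    """eta_pi : 1 -> A x A. The first party receives s, the second pi(s)."""
    return {(STAR, (s, pi[s])) for s in pi}


def counit(pi):
    """Counit paired with unit(pi): defined only on pairs of the form (pi(s), s)."""
    return {((pi[s], s), STAR) for s in pi}


def snake_left(eta, eps, A):
    """(eps x id) after (id x eta), flattened to a relation A -> A."""
    return {(a, y) for a in A for _, (x, y) in eta if ((a, x), STAR) in eps}


def snake_right(eta, eps, A):
    """(id x eps) after (eta x id), flattened to a relation A -> A."""
    return {(a, x) for a in A for _, (x, y) in eta if ((y, a), STAR) in eps}


def all_relations(dom, cod):
    """Every relation dom -> cod, as a frozenset of (input, output) pairs."""
    pairs = [(a, b) for a in dom for b in cod]
    for mask in range(1 << len(pairs)):
        yield frozenset(p for i, p in enumerate(pairs) if mask >> i & 1)


def self_dualities(A):
    """All (unit, counit) pairs on A that satisfy both snake equations."""
    A = list(A)
    AA = [(x, y) for x in A for y in A]
    ident = {(a, a) for a in A}
    counits = list(all_relations(AA, [STAR]))
    return [(eta, eps)
            for eta in all_relations([STAR], AA)
            for eps in counits
            if snake_left(eta, eps, A) == ident
            and snake_right(eta, eps, A) == ident]


def recover_permutation(eta, A):
    """Lemma 3.1, unit -> automorphism: bend eta with the canonical counit."""
    canonical = counit({a: a for a in A})
    return dict(snake_left(eta, canonical, A))


def exchange_keys(pi):
    """Key exchange: create (s, pi(s)), then the second party applies pi^-1."""
    inverse = {v: k for k, v in pi.items()}
    return {(STAR, (s, inverse[t])) for _, (s, t) in unit(pi)}


def delete_second(eta):
    """Equation (20): delete the second party's key and keep the first."""
    return {(STAR, s) for _, (s, _t) in eta}


def verify_keys(k1, k2, A):
    """Canonical counit as key verification: True continues, False halts."""
    return ((k1, k2), STAR) in counit({a: a for a in A})


if __name__ == "__main__":
    A = [0, 1, 2]
    print("self-dualities on a 3-element set:", len(self_dualities(A)))
    pi = {0: 1, 1: 2, 2: 0}  # constructed sample permutation
    print("recovered permutation:", recover_permutation(unit(pi), A))
    print("keys match after correction:", exchange_keys(pi) == unit({a: a for a in A}))
```
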



4 Public information 
4.1 Graphical calculus 

We now consider a graphical notation for correlation between many computational
systems. Already explored in the context of quantum information,
here we investigate its applications to classical information processing for the
first time. Consider a family of systems carrying private data, existing simultaneously
without interacting. We can draw this straightforwardly in our string
diagram notation as follows: 



(22) 



Each vertical line represents a separate computational system. 

Now suppose that all of these systems hold the same information, in a 
completely redundant way. Inventing a new notation, we indicate this by 
shading the effective 2-dimensional area swept out by the worldlines of our 
systems: 






(23) 



We have presented this as nothing more than a notational convenience. But in 
fact, if we include these regions formally as elements of our notation, we obtain 
precisely the graphical notation for a bicategory. So our richer formalism has a 
rigorous mathematical foundation, extending that of our original notation. 

We interpret these 2-dimensional areas as representing public information, 
contrasting with the 1-dimensional lines in Section 3 representing private
information. Private information is held at a single point in space, and can be 
controlled or manipulated however its owner desires. Public information can be 
accessed at any point on its worldsheet, but cannot be modified by local actions, 
since it is held redundantly over a finite spatial region. So public information is 
more accessible, but as a consequence less mutable. 

This can be considered an abstraction of real public information storage 
systems, such as the Domain Name Service, which stores public information 
redundantly on many independent computers. This makes the data easier 
to access, since it is more likely there will be a copy of the data nearby 
that can be consulted. But the downside is that information update is no 
longer a local operation: complex algorithms are required to synchronize the 
information held by the individual computers. It would be interesting to
consider whether an extension of our formalism could address these issues of 
distributed computation. 

Since we are thinking intuitively of public information as formed from a large 
collection of correlated systems, it makes sense that we should be able to copy 
the public information by splitting this family of systems into two parts, and 
delete the information by deleting each constituent system. We denote these 
operations in the following way: 




On the left-hand side is the intuitive picture in terms of families of perfectly 
correlated computational systems, and on the right-hand side is the formal 
component of our graphical calculus which represents it. We can also form 
the converses of these operations: 




The first of these represents the process of comparing two pieces of public data. 
In the case that the values are different, this cannot be successful and we might 
expect the computation to halt, which will be demonstrated by the concrete 
relational model we examine below. The second represents the creation of public 
data in a nondeterministic uniform fashion.



4.2 Topological axioms 

As with the bicategorical syntax for quantum information [9], in order to
support their interpretations, we require these copying, deleting, comparison and 
uniform creation components to satisfy certain equations. They are topological, 
in that they amount to saying that any composite diagram is determined only 
by its connectivity. 
(31)

Each of these equations is consistent with the interpretation we give to the
basic components (24)–(27). For example, the first equality labelled (28)
represents the fact that copying public information and then deleting the new
copy results in the identity; the first equality labelled (30) represents the fact
that exchanging public information and then comparing gives the same result
as simply comparing; and equation (31) states that copying public information
and then immediately comparing yields the identity.

The following theorem demonstrates that these structures are easy to work 
with in 2Rel. 

Theorem 4.1. Every 0-cell in 2Rel carries structures (24)–(27) satisfying
equations (28)–(31) in an essentially unique way.

Proof sketch. A 1-cell $A : 1 \to S$ is determined by an $S$-indexed family of finite
sets $A_s$, and its isomorphism class is determined by the cardinalities of those sets.
Every such 1-cell has an ambidextrous adjoint, meaning precisely that values
can be given for structures (24)–(27) that satisfy equations (28)–(29). The
result is a Frobenius algebra structure [lij , which will be commutative exactly 
when each of the finite sets $A_s$ has cardinality 1, which satisfies the equations
labelled (30). The resulting structures automatically satisfy equation (31). □

Indeed, such a structure in 2Rel gives rise to a commutative dagger-Frobenius 
algebra in Rel, corresponding to a discrete groupoid with respect to the 
classification of such structures as abelian groupoids [III EBj- This suggests 
an expansion of our formalism to the case where objects of the bicategory 
are arbitrary abelian groupoids. It would be interesting to consider what 
procedures in classical information might be naturally modelled by such an 
extended formalism. 

4.3 Interacting private and public data 

Interesting phenomena arise when we study interactions between public and 
private information. There are three basic forms that such an interaction can 
take: converting private data to public data; converting public data to private 
data; and using public data to modify private data. 

Conversion processes between public and private data take the following
forms:

[Diagram: publication vertex P and sampling vertex S]    (32)

Here P is a publication process converting private data into public data,
and S is a sampling process converting public data into private data. Their
interpretation rests entirely on their types; there are no equations which we
require them to satisfy. These processes need not be deterministic, or invertible,
in general. We could also allow them to have a kernel, meaning that the 
computation will halt on some inputs. 

The final type of process we introduce is the controlled computation, which 
performs an operation on private data depending on the value of some public 
data: 









[Diagram: controlled computation vertex C]    (33)



Such an operation can modify the private data, but not the public data. 

Lemma 4.2. A controlled computation cannot modify public data. 

Proof. We can use the topological behaviour of public information to rewrite 
our controlled computation vertex C in the following way: 









[Diagram: two equal forms of the vertex C]    (34)



In this form it is clear that the public data is not modified, since it is explicitly 
copied before C is implemented. □ 

This result fits well with our intuition about public data as being carried by
a large, correlated family of systems. To change the value of the public data 
would require modifying all of these systems, but the process C only has access 
to a restricted subset, as made explicit by the open boundary on the left-hand 
side of the diagram. 

5 Modelling cryptographic procedures



5.1 Encrypted communication 

Suppose Alice is sending an encrypted message to Bob. We use a 2-cell E to 
represent Alice's encryption process, which relates the private plaintext P and 
the private key K to the public ciphertext C: 

[Diagram: vertex E, with P and K below and C, C above]    (35)

Similarly, we represent Bob's decryption process D as a 2-cell that relates the 
public ciphertext and private key to the same ciphertext and a private plaintext. 



[Diagram: vertex D, with C and K below and C and P above]    (36)



Encryption and decryption are deterministic; key generation is not. We 
represent key generation as a special 2-cell, the curried identity relation on 
the set of keys K. 

[Diagram: key generation vertex, with K and K above]

This is the unit morphism for a self-duality on K, as described in Section 3.2.

Using our topological language, we can express correctness of encrypted 
communication in the following way: 





(37) 

This is the same 2-dimensional equation as that used in [9] to describe
quantum teleportation. The encryption step takes the place of the measurement 
operation, and the decryption step takes the place of the controlled unitary 
correction. The ciphertext takes the place of the classical bits transmitted 
from Alice to Bob. This provides an intuition for why no faster-than-light 
communication is possible with entangled particles: Alice and Bob merely share 
a quantum variant of a one-time pad, and the actual encoded message must still 
be sent at some finite speed. 

The simplest nontrivial implementation of this protocol is the encrypted 
communication of a single bit. We can describe concretely the values of E, D 
and the key creation step $\eta$ as 2-cells in 2Rel which correspond to this scenario.
We choose C = P = K to be the 2-element set, and the 2-cells take the following 
values: 

-( 

/ 

D = 

V 

$\eta$ = ( (1 1) ) (40)

Here E is a matrix containing a single relation from a 4-element set to a
2-element set, which is exactly the multiplication operation for the group $\mathbb{Z}_2$;
D is a matrix of invertible single-bit operations to apply depending on which bit
is published at the encryption step; and $\eta$ is a matrix with a single entry, the
relation representing nondeterministic creation of the pair of keys (0, 0) or (1, 1).
Using the definition of the bicategory 2Rel, it can be checked that these values
satisfy equation (37).

However, our formalism allows us to carry out an analysis of the protocol 
in its abstract form, and hence draw conclusions which will apply to any 
particular implementation. To focus on its algebraic properties, we can simplify 
equation (37) topologically in the following way:



D 





(38) 



(39) 



We can describe a variety of security properties in a graphical way. Here is the
first, which is the primary security property for encrypted communication:

(42)



This says that if we encrypt a message using one copy of a one-time pad, and 
then delete the other copy of the one-time pad, this is equivalent to deleting our 
original message and producing a random ciphertext. So in particular, deleting 
the key causes the original message to be unrecoverable. This also ensures that 
the whole space of possible keys is being used. 

We can use our formalism to derive from this security property a strong 
constraint on the encryption operation E. 

Theorem 5.1. If the encryption step in classical encrypted communication
satisfies property (42), then encryption is not invertible unless the space of
messages is trivial.

Proof. Suppose encryption is invertible. Then composing both sides of (42)
with $E^{-1}$ gives the following graphical expression:

(43)



Hence the identity process on the set of messages factors through the one- 
element set. □ 

We can draw a quite different conclusion for the decryption process D. 

Theorem 5.2. In classical encrypted communication, the decryption step is 
invertible. 

Proof. From equation (41) representing correctness of encrypted communication,
we apply the topological properties of public information to obtain the
following equivalent equation:

(44)

This says that D has a right inverse given by E with its top-left and bottom-right
legs twisted in the manner indicated. However, by Theorem 2.1 if an
endomorphism is a left inverse then it must also be a right inverse, and hence
our theorem follows, with the following expression for $D^{-1}$:

(45)

□



It follows that we can reconstruct E from the knowledge of D and its inverse. 

Theorem 5.3. For an implementation of classical encrypted communication, 
we have 



[Diagram: E expressed in terms of $D^{-1}$]    (46)



Proof. We apply the topological properties of public information to expression (45)
to obtain the following:

(47)



The right-hand side of this expression evaluates to E, by the topological 
properties (f^Hj) of 2-dimensional regions and the snake equations (13). □

While property (42) is primary, there are other security properties of the
encryption process that we could consider. The first states that if we encode with 
a random key, this is equivalent to deleting the original message and producing 
random ciphertext: 
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Secondly, we could encode a random message with a specified key: 




This property says that this is the same as deleting the key, and producing a 
random ciphertext. 

We can also consider security properties for the decryption process. 











[Diagram, involving $D$]

This says that if an attacker chooses nondeterministically from the space of 
all possible keys, every possible message can be produced, regardless of the 
ciphertext. So if an attacker has no knowledge of the key, they cannot extract 
information from the ciphertext. 
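
The three properties just described can be checked by brute force in a set-based (possibilistic) reading, where a "random" input means "any value in the set". This is an added example, not code from the paper; the toy cipher (addition modulo 4 as a one-time pad) and all names are constructed for illustration, and the second report shows the same cipher failing once the key space is smaller than the message space.

```python
from itertools import product

def check_cipher(msgs, keys, ctexts, enc, dec):
    """Set-based checks: which outputs are possible, not how likely they are."""
    M, K, C = set(msgs), set(keys), set(ctexts)
    return {
        # Correctness: decrypting with the same key recovers the message.
        "correct": all(dec(enc(m, k), k) == m for m, k in product(M, K)),
        # Random key: any message can yield every ciphertext.
        "random_key": all({enc(m, k) for k in K} == C for m in M),
        # Random message: any key can yield every ciphertext.
        "random_msg": all({enc(m, k) for m in M} == C for k in K),
        # Decryption: guessing keys yields every message from any ciphertext.
        "dec_hides": all({dec(c, k) for k in K} == M for c in C),
        # Theorem 5.2 in this setting: each key gives a bijection C -> M.
        "dec_bijective": all(
            len(C) == len(M) and {dec(c, k) for c in C} == M for k in K
        ),
    }

N = 4  # constructed toy message, key and ciphertext space Z_4

def otp_enc(m, k):
    return (m + k) % N

def otp_dec(c, k):
    return (c - k) % N

def otp_report():
    """One-time pad: as many keys as messages."""
    Z = range(N)
    return check_cipher(Z, Z, Z, otp_enc, otp_dec)

def short_key_report():
    """Same operations, but only two keys for four messages."""
    return check_cipher(range(N), range(2), range(N), otp_enc, otp_dec)

if __name__ == "__main__":
    print("one-time pad:", otp_report())
    print("short key   :", short_key_report())
```

With the short key space the cipher is still correct and each key still decrypts bijectively, but the random-key and decryption properties fail: a ciphertext narrows the message down to two candidates.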

In fact, we can use our formalism to show that all of these security properties 
follow from the primary security property (42). 

Theorem 5.4. In classical encrypted communication, (42) implies (48), (49) 
and (50). 

Proof. The implication (42) ⇒ (48) follows from the topological property (20) 
of the deletion map. For the other implications, we compose expression (45) for 
$D^{-1}$ with the deletion map at the top-right leg, obtaining the following: 

[Diagram (51), involving $D^{-1}$]



Every invertible 2-cell in Rel is a family of bijections, and hence its converse 
is its inverse. Taking the converse is a functorial operation, and so taking the 
converse of the first and last diagram here, we obtain property (50): 

[Diagram, involving $D$]

For the final property (49), we postcompose this expression with the 2-cell 
$D^{-1}$, obtaining the following expression: 

[Diagram (52), involving $D^{-1}$]

We can use this to prove security property (49), where we also make use of 
expression (46) giving $E$ in terms of $D^{-1}$: 

[Diagram (53), involving $E$]

This completes the proof. □ 



5.2 Secret sharing 

We can represent correctness of a secret sharing procedure in the following way: 



[Diagram (54), involving $E$ and $D$]

On the left-hand side we begin with some pre-existing public information. This 
is the information to be communicated by the secret sharing procedure. We 
prepare two correlated systems forming a one-time pad, and then manipulate the 
first copy by a procedure D that depends on the value of the classical data. The 
result is a pair of messages, which are our ciphertexts. Both are then brought 
together and consumed by a process E, producing public information. This 
process is successful when the result is to copy the original public information. 

The important security property of a secret sharing procedure is that if only 
one ciphertext is available, then no information about the original message can 
be regained. A strong, constructive way to phrase this is to say that if one of the 
ciphertexts is erased, the other becomes uniformly random, and independent of 
the original message. This gives two conditions, with the following graphical 
representations: 







[Diagrams (55) and (56), involving $D$]

Equation (54) has an identical structure to the quantum dense coding equation 
given in 0. 
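
The secret sharing procedure and its security condition, carried through with exact probabilities on a toy message space. This is an added example, not code from the paper; the choice of Z_8, of addition modulo 8 for the message-controlled step, and all function names are assumptions made for illustration.

```python
from collections import Counter
from fractions import Fraction

N = 8  # constructed toy message and share space Z_8

def split(m, r):
    """Start from the pad (r, r); transform the first copy under control of m."""
    return ((r + m) % N, r)

def combine(s1, s2):
    """Consume both shares and recover the public message."""
    return (s1 - s2) % N

def reconstructs(pads):
    """Correctness: both shares together always give back the message."""
    return all(combine(*split(m, r)) == m for m in range(N) for r in pads)

def share_marginal(m, idx, pads):
    """Exact distribution of one share (idx 0 or 1) when the other is erased."""
    pads = list(pads)
    counts = Counter(split(m, r)[idx] for r in pads)
    return {v: Fraction(n, len(pads)) for v, n in counts.items()}

def single_share_is_uniform(pads):
    """Security: each share alone is uniform, whatever the message was."""
    uniform = {v: Fraction(1, N) for v in range(N)}
    return all(
        share_marginal(m, i, pads) == uniform
        for m in range(N)
        for i in (0, 1)
    )

if __name__ == "__main__":
    print("full pad :", reconstructs(range(N)), single_share_is_uniform(range(N)))
    # Failure mode: a pad drawn from only two values still reconstructs,
    # but the first share now sits within one step of the message.
    print("short pad:", reconstructs(range(2)), single_share_is_uniform(range(2)))
    print("share 0 for m=3, short pad:", share_marginal(3, 0, range(2)))
```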



5.3 Key exchange 

[Diagram (57): Diffie-Hellman key exchange between Alice and Bob, who obtain 
$(g^x)^y$ and $(g^y)^x$]

Our final study is Diffie-Hellman key exchange [17], a procedure whereby 
two parties who share common public base information can obtain a shared 
secret key by exchanging only public information. The bicategorical diagram 
representing it is given as equation (57). The symmetric monoidal bicategory 
structure is essential here, as it gives meaning to the overlapping of parts of the 
diagram. 

Ambient public information represents the base g to be used by the protocol. 
Alice and Bob nondeterministically choose private keys x and y respectively 
which they duplicate. They then each apply a controlled operation D, which 
in the conventional implementation depends on public information p, and 
transforms private information as $q \mapsto p^q$ with respect to some fixed 
cyclic group structure. The result of this is then published and transferred to 
the other party, where D is applied once again. As a result, both parties share 
the key $g^{xy}$. 

The protocol is implemented correctly if, neglecting the public data produced 
during the procedure, the private keys are identical and uncorrelated with the 
initial base. Erasing the public data is necessary for information-theoretical 
security in the classical case, and for maintaining coherence in any quantum 
interpretation. 

Our graphical formalism captures this structure in a clear way, which 
moreover can be used to formally verify correctness of an implementation. 
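
The key exchange steps above, run exhaustively in a small cyclic group. This is an added example, not code from the paper; the modulus 23, the order-11 subgroup and all function names are constructed assumptions. It checks that both parties obtain the same key, that the set of reachable keys does not depend on the base, and that the key is fully determined once the published values are kept, which is why the text neglects the public data when stating information-theoretic security.

```python
P = 23       # constructed toy modulus (assumption; far too small for real use)
ORDER = 11   # order of the subgroup of squares modulo 23

def D(p, q):
    """Controlled operation from the text: public p acts on private q as q -> p^q."""
    return pow(p, q, P)

def exchange(g, x, y):
    """One protocol run: returns (published values, Alice's key, Bob's key)."""
    a_pub, b_pub = D(g, x), D(g, y)            # each side publishes D(g, own key)
    k_alice, k_bob = D(b_pub, x), D(a_pub, y)  # D applied once again
    return (a_pub, b_pub), k_alice, k_bob

def runs(g):
    """Every nondeterministic choice of private keys x and y."""
    return [exchange(g, x, y) for x in range(ORDER) for y in range(ORDER)]

def keys_agree(g):
    """Correctness: Alice and Bob always end with the same key."""
    return all(ka == kb for _, ka, kb in runs(g))

def reachable_keys(g):
    """Possible shared keys once the published values are discarded."""
    return {ka for _, ka, _ in runs(g)}

def transcript_fixes_key(g):
    """With the published values retained, is only one key possible?"""
    seen = {}
    for transcript, ka, _ in runs(g):
        seen.setdefault(transcript, set()).add(ka)
    return all(len(ks) == 1 for ks in seen.values())

if __name__ == "__main__":
    for g in (2, 3):  # two generators of the order-11 subgroup
        print(g, keys_agree(g), sorted(reachable_keys(g)), transcript_fixes_key(g))
```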